Hello community,

here is the log from the commit of package p7zip for openSUSE:Factory checked 
in at 2018-02-12 10:11:02
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/p7zip (Old)
 and      /work/SRC/openSUSE:Factory/.p7zip.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "p7zip"

Mon Feb 12 10:11:02 2018 rev:38 rq:575306 version:16.02

Changes:
--------
--- /work/SRC/openSUSE:Factory/p7zip/p7zip.changes      2018-01-30 
15:39:32.276234584 +0100
+++ /work/SRC/openSUSE:Factory/.p7zip.new/p7zip.changes 2018-02-12 
10:11:08.746303797 +0100
@@ -1,0 +2,6 @@
+Tue Feb  6 15:13:23 UTC 2018 - kstreit...@suse.com
+
+- add p7zip-16.02-CVE-2017-17969.patch to fix a heap-based buffer
+  overflow in a shrink decoder [bnc#1077725], [CVE-2017-17969]
+
+-------------------------------------------------------------------

New:
----
  p7zip-16.02-CVE-2017-17969.patch

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ p7zip.spec ++++++
--- /var/tmp/diff_new_pack.AzeK9p/_old  2018-02-12 10:11:09.610272661 +0100
+++ /var/tmp/diff_new_pack.AzeK9p/_new  2018-02-12 10:11:09.610272661 +0100
@@ -26,7 +26,7 @@
 License:        LGPL-2.1+
 Group:          Productivity/Archiving/Compression
 Url:            http://p7zip.sourceforge.net/
-# Update note: RAR sources need to be removed from the package because of the 
incompatibe licence
+# Update note: RAR sources need to be removed from the package because of the 
incompatible licence
 # Run the following commands after each package update to remove them
 # export VERSION=16.02
 # wget 
http://downloads.sourceforge.net/project/p7zip/p7zip/${VERSION}/p7zip_${VERSION}_src_all.tar.bz2
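Review bot: the update procedure recorded in this comment block fetches the upstream tarball over plain http (`wget http://downloads.sourceforge.net/project/p7zip/...`) and has no step that verifies a checksum or signature before the RAR sources are stripped and the result becomes `Source:`, so the repacked tarball is only as trustworthy as that download path; consider an https URL and a verification step against a published upstream hash in the same comment block. The hunk itself only corrects the spelling of "incompatible" in the note, which is fine.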
@@ -37,8 +37,10 @@
 # rm -rf p7zip_${VERSION}_src_all.tar.bz2
 Source:         p7zip_%{version}_src_all-norar.tar.bz2
 Patch1:         CVE-2016-9296.patch
-# PATCH-FIX-SUSE bnc#1077978 kstreit...@suse.comĀ -- adjust makefile not to use 
CPP/7zip/Compress/Rar* files
+# PATCH-FIX-SUSE bnc#1077978 kstreit...@suse.com -- adjust makefile not to use 
CPP/7zip/Compress/Rar* files
 Patch2:         p7zip_16.02_norar.patch
+# PATCH-FIX-UPSTREAM bnc#1077725 kstreit...@suse.com -- fix heap-based buffer 
overflow in a shrink decoder
+Patch3:         p7zip-16.02-CVE-2017-17969.patch
 BuildRequires:  gcc-c++
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 %if %{with buildgui}
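Review bot: the new Patch3 comment is tagged PATCH-FIX-UPSTREAM but cites only bnc#1077725 and the CVE, not the upstream version or commit the hunk was taken from, and the patch file added below carries no description header of its own; record the upstream origin in the comment (or in the patch header) so the next updater can tell whether the patch is still needed after a version bump. The edit to the Patch2 comment only replaces a mis-encoded character after the maintainer address, which is fine.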
@@ -81,6 +83,7 @@
 %setup -q -n %{name}_%{version}
 %patch1 -p1
 %patch2 -p1
+%patch3 -p1
 
 %ifarch x86_64
 cp makefile.linux_amd64_asm makefile.machine
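Review bot: `%patch3 -p1` is consistent with the `p7zip_16.02.orig/` and `p7zip_16.02/` prefixes in the patch's `---`/`+++` headers and with the `%setup -q -n %{name}_%{version}` directory above it, so the patch applies to the right path; nothing else to raise on this hunk.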

++++++ p7zip-16.02-CVE-2017-17969.patch ++++++
Index: p7zip_16.02/CPP/7zip/Compress/ShrinkDecoder.cpp
===================================================================
--- p7zip_16.02.orig/CPP/7zip/Compress/ShrinkDecoder.cpp
+++ p7zip_16.02/CPP/7zip/Compress/ShrinkDecoder.cpp
@@ -121,7 +121,12 @@ HRESULT CDecoder::CodeReal(ISequentialIn
     {
       _stack[i++] = _suffixes[cur];
       cur = _parents[cur];
+      if (cur >= kNumItems || i >= kNumItems)
+        break;
     }
+
+    if (cur >= kNumItems || i >= kNumItems)
+      break;
     
     _stack[i++] = (Byte)cur;
     lastChar2 = (Byte)cur;
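Review bot: both added checks sit after the array accesses rather than before them, so their correctness rests on two invariants that are not visible in this hunk: the initial `cur` must already be below kNumItems when the loop is entered, and `_stack`, `_suffixes` and `_parents` must each have at least kNumItems elements; please confirm both in the surrounding code. If they hold, the ordering is sound: `_stack[i++]` is only written when `i` was validated by the previous iteration's check (or is 0), and the freshly loaded `cur` is checked before it indexes `_suffixes` or `_parents` again, which stops `i` from running off the end of `_stack` when the parent chain is longer than kNumItems entries, the overflow the changelog entry refers to. Two smaller points: the second check repeats the first only to turn the inner `break` into an outer one (a flag or an early return would make that intent clearer), and that outer `break` ends decoding of a malformed stream silently; unless the code after the loop reports it, consider returning S_FALSE here so callers see a corrupt-archive error rather than truncated output.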
